Plug-In Raises Firefox Security Doubts

Plug-ins have become an integral part of many applications, but allowing third-party code to execute always poses security risks. ActiveX controls in Internet Explorer have been blamed for many of the browser's vulnerabilities. Now, it appears that Firefox -- vaunted for its security -- may be affected by similar problems.

A serious vulnerability has been discovered in a popular extension for Firefox, leading its developer to recommend on Tuesday that users either install a crippled version of the plug-in or uninstall it altogether.

The vulnerability affects Greasemonkey, an add-on that lets Firefox users alter portions of a Web site's design to fit their needs. The flaw could allow a malicious page to read any local file on a user's machine, or to list the contents of a local directory.

Worse yet, the vulnerability could be exploited regardless of the platform Greasemonkey is installed upon.

"I'm working feverishly on a fix for this. But this will take several days," Aaron Boodman, one of the authors of the extension, wrote in his Web log. "In the meantime, I strongly recommend that everyone either install Greasemonkey 0.3.5, or else disable or uninstall Greasemonkey completely."

Although Boodman had received no reports of the flaw being exploited, he said that because the problem had become public knowledge, it was no longer safe to use the extension. He said installing version 0.3.5 of Greasemonkey, in which the offending portions of code are disabled, was the only way to ensure system security.

This latest problem with extensions has some questioning whether Firefox is truly any more secure than Internet Explorer, as the Mozilla Foundation has repeatedly claimed.

Attackers have long used IE's support for ActiveX plug-ins to infiltrate a system, and some now say the same can be done using Firefox's extensions.

"Isn't this a huge hole in Firefox as a whole? What is to stop extensions from being added to my browser that open it up to malicious content? Isn't this the same as the problems that IE has? IE is fine until you start allowing plug-ins, add-ons and scripts," one user wrote on the Slashdot technology Web log.

Boodman apologized for the security hole and said he realized how much of an inconvenience the problem might be for some users. He promised a patch for the issue as soon as possible.